Microsoft IIS Connection Strings Decryption
Detects use of aspnet_regiis to decrypt Microsoft IIS connection strings. An attacker with Microsoft IIS web server access via a webshell or alike can decrypt and dump any hardcoded connection strings, such as the MSSQL service account password using aspnet_regiis command.
Sigma rule (View on GitHub)
1title: Microsoft IIS Connection Strings Decryption
2id: 97dbf6e2-e436-44d8-abee-4261b24d3e41
3status: test
4description: Detects use of aspnet_regiis to decrypt Microsoft IIS connection strings. An attacker with Microsoft IIS web server access via a webshell or alike can decrypt and dump any hardcoded connection strings, such as the MSSQL service account password using aspnet_regiis command.
5references:
6 - https://www.elastic.co/guide/en/security/current/microsoft-iis-connection-strings-decryption.html
7author: Tim Rauch, Elastic (idea)
8date: 2022/09/28
9modified: 2022/12/30
10tags:
11 - attack.credential_access
12 - attack.t1003
13logsource:
14 category: process_creation
15 product: windows
16detection:
17 selection_name:
18 - Image|endswith: '\aspnet_regiis.exe'
19 - OriginalFileName: 'aspnet_regiis.exe'
20 selection_args:
21 CommandLine|contains|all:
22 - 'connectionStrings'
23 - ' -pdf'
24 condition: all of selection*
25falsepositives:
26 - Unknown
27level: high
References
-
Microsoft IIS Connection Strings Decryptionedit Identifies use of aspnet_regiis to decrypt Microsoft IIS connection strings. An attacker with Microsoft IIS web server access via a webshell or alike...
Read More
Related rules
- Microsoft IIS Service Account Password Dumped
- Potential Invoke-Mimikatz PowerShell Script
- Hacktool Execution - PE Metadata
- HackTool - Rubeus Execution
- Shadow Copies Creation Using Operating Systems Utilities